11 Security Sights Seen Only At Black Hat

The 2012 Black Hat conference in Las Vegas saw 6,500 information security aficionados descending on Sin City in late July to sharpen their security mojo via hands-on training sessions and briefings, bookended by keynote presentations from the FBI's former top cyber cop, Shawn Henry, as well as an onstage "fireside chat" with renowned cyberpunk author Neal Stephenson.

The Black Hat origin story is simple: Twenty years ago, Jeff Moss founded DEF CON for hackers to share security knowledge and hijinks, with a bargain-basement conference venue and rooms--thanks, in part, to it being the height of summer in a desert. Cue dodgy digs. Just five years later, however, Moss debuted the more corporate Black Hat conference, to help take the offensive techniques honed by hackers at DEF CON and disseminate them to information security professionals.

Black Hat, now hosted several times a year in various locations worldwide, in 2012 marked its 15th year in Las Vegas. The site for this year's conference, as in recent years, was Caesar's Palace. In a city famous for its lack of subtlety, Caesar's--tagline: "In Vegas, we'll always have Rome"--is a relatively up-market entry in the Las Vegas Strip landscape, boasting not just well-appointed and sprawling suites, casinos, and an eight-acre footprint, but also onsite replicas of everything from classical statues and the Coliseum to the Roman Forum and Trevi Fountain.

Inside the conference venue, this year's training sessions covered everything from how to intercept secure communications and respond to data breaches, to advanced Windows exploitation techniques and learning how to take down botnets by first building your own. This year's briefings, meanwhile, were organized into such tracks as Big Picture, Web Apps, Enterprise Intrigue, 92.2% Market Share (a.k.a. Windows), Over The Air And In The Device, and Mass Effect, as well as applied workshops such as The Dark Art of iOS Application Hacking.

If the spectacle of the black-clad hacker elite hitting Vegas head on--storming conference floors by day, bars and dance clubs by night, mixed with pool time to counter the 106 (and above) degree heat--seems incongruous, the city didn't let it show. In fact, Caesar's even hacked its own Roman conceit, signaling its support for the information security set by adorning its own copy of Michelangelo's statue of David, in all its naked glory, with an enormous black hat.

Caesar's Palace statue of David in a black hat. Photograph by Mathew J. Schwartz.

A team from the University of Washington detailed its Control-Alt-Hack card game at this year's Black Hat, which uses game mechanics licensed from Steve Jackson Games. The game--for three to six players, ages 14 and up, with a playing time of about an hour--puts players in the shoes of employees of a small, elite, white-hat hacking firm. The game is set to debut this fall and retail for about $30 per copy; thanks to grants from Intel, the National Science Foundation, and the Association for Computing Machinery, the developers are also making some copies available for free to educators.

Control-Alt-Hack co-creator Tamara Denning, a PhD student at the University of Washington, shows off printer proofs of the Control-Alt-Hack card game. Photograph by Mathew J. Schwartz.

When it comes to hardware hacking, Black Hat is on a roll. Last year, it was insulin pumps. This year, software engineer Cody Brocious demonstrated how he could hack certain types of hotel locks made by Onity, which claims about 50% of the hotel lock market share, with between 4 million and 10 million such locks in circulation.

As with most security hardware, such locks are expensive, designed to be infrequently replaced, and (in the case of the model hacked by Brocious) packaged with firmware that can't be updated. Brocious noted that it took him six to nine months to reverse-engineer the system. His initial goal was to build a better system, but when he quickly found a way to defeat the locks he scuttled his commercial initiative. "The vulnerability itself is very, very simple," he said. Using his exploit to unlock the locks isn't always reliable and still requires further refinement to overcome tricky data-communication timing issues, but it only requires $40 in parts.

What technology conference would be complete without the requisite swag? This year's at-capacity show floor didn't disappoint, with two especially airline-security-friendly freebies scoring top popularity marks: A green tube gun that pumped out ping-pong balls, and a battery-operated ninja sword with light-up display and sound effects.

Talk about a security first: Apple, which normally details no security vulnerability--or even admits to its existence--before patching, sent Dallas De Atley, manager of Apple's platform security team, to deliver a highly polished overview of current iOS security to a near-capacity conference room crowd.

While Apple earned kudos from security experts for simply showing up, others questioned whether the technology firm couldn't have opened more of a dialog with attendees, for example detailing future security refinements they're pursuing, or providing a more candid look at iOS security successes and failures. But the session ended with no allowance for audience questions, and De Atley swiftly departing through a side door.

Invalidating popular myths about the incompatibility of hardcore coders and sunlight, the conference featured well-attended cabana parties, for example at the Caesar's Palace Neptune pool. Attendees mixed security talk with mojitos, pool time, and water sports, despite the 106-degree heat. The social events highlighted that--beyond the briefings and trainings--the conference serves a valuable networking purpose.

"We come to Black Hat every year to find the people who understand secure coding," said Jennifer Stitt, talent acquisition manager for security consulting firm Cigital.

The opening Black Hat keynote was delivered by Shawn Henry, president of CrowdStrike. Until March 2012, Henry was the executive assistant director of the FBI, and oversaw numerous aspects of the bureau, including cyber investigations and international investigations. Based on his experience, Henry warned the crowd that the "cyber" threats the public sees pale in comparison to what the government has been seeing, though, of course, such information is classified.

Despite that warning, however, a populist revolt seemed to emerge in the conference, as any presenter's use of the word "cyber" or "APT"--for advanced persistent threat--began drawing immediate fits of coughing or collective shouts of "BS!" (in its unabbreviated form).

Hacking card readers--for fun, profit, or hotel-room entry--was a leading theme at this year's Black Hat. One of the more elegant, related attacks demonstrated involved a memory corruption vulnerability in some point-of-sale (POS) credit and debit card readers, detailed by "Nils," head of security research at MWR InfoSecurity, and security consultant Rafael Dominguez Vega.

While their attack has three variations, including targeting the magnetic-stripe card readers used in the United States, arguably the most interesting version targets chip-and-PIN smartcards used in Europe, which require the user to enter a PIN to authorize in-person transactions. But Nils and Vega detailed how a malicious smartcard could be used to rewrite the software running on the terminal, providing fake authorization that a transaction went through, or instructing it to record all credit card numbers and PIN codes that it sees. At the end of the day, an attacker could return to purchase goods and "pay" with a smartcard programmed to retrieve and store all data seen by the POS terminal during the day.

No Black Hat would be complete without long lines of people waiting to pony up $200--cash only (though with a $50 discount for Black Hat attendees)--for an early badge to the DEF CON conference, which immediately follows Black Hat. All eight versions of this year's badge, which comes with four AA batteries, sported an Egyptian theme, and went under immediate scrutiny by legions of conference-goers. As always, the conference badge's onboard hardware and software are hackable, though figuring out exactly how is left to whiz kids eager to demonstrate their prowess.

Neal Stephenson, author of such books as Snow Crash, Cryptonomicon, and the Baroque Cycle trilogy, gave the closing-day keynote at Black Hat, detailing his love of swordplay, gaming, next-generation rockets, and the history of encryption, although the one-time PGP user said he'd dropped email encryption owing to the lack of participants.

Discussing the difficulty of future-proofing his books, given the speed at which technology changes, Stephenson noted that, on the advice of a friend who read a draft of his since-published Reamde, he replaced every mention of iPhone, cellphone, or other name-branded mobile communications device with the simple word "phone."

Google and Facebook may offer bug bounties, but Microsoft broke into the "cash for security code" movement with its inaugural BlueHat Prize, hosted at the Marquee nightclub in Las Vegas. "For our challenge to the security researcher community, we said, can you focus on defensive techniques that can focus on entire classes of attacks, instead of finding one-off vulnerabilities," said Mike Reavey, director of the Microsoft Security Response Center, in an interview at Black Hat. "And we put a quarter of a million dollars on the table, because we knew it's hard to do."

The winning submission, together with $200,000 of the prize money and mountains of free confetti, went to Columbia University graduate student Vasilis Pappas for kBouncer, which Microsoft described as "an efficient and fully transparent ROP [return-oriented programming] mitigation technique."

Comments

pjs880@hotmail.com

Thu, 08/02/2012 - 08:14

re: 11 Security Sights Seen Only At Black Hat

The whole conference looked like it was a blast to attend and learn some state-of-the-art defensive techniques. I have to make it to one of these; I would love to sit through most of these speakers that attend. I have heard many different opinions on what the key theme was at the Black Hat conference. Did anyone attend? What, in your opinion, was the theme of the conference that you viewed?